Posted by timothy on Saturday November 03, 2012 @10:19AM from the or-maybe-it-goes-without-saying dept.

An anonymous reader writes "Security firm Kaspersky has released its latest IT Threat Evolution report. There were some interesting findings in the report, as always, but the most interesting thing that stuck out was all the way at the bottom: 'Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.'"

Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

Just to reinforce the picture of Java as crapware, it blows my mind that Oracle packages shit like the Ask Toolbar in the regular security updates and you have to uncheck a box in order to prevent its installation. Oracle is a Zynga-level company.

The Ask Toolbar is integrated with the Java download. During the installation of Java, users are presented with an option of downloading the Ask Toolbar.

Also, although it's fixed now, for a time you couldn't direct link to the Win x64 JRE. It forced you through a page that would check your browser and give you an x32 if your browser was 32-bit. I used to have to fire up IE 64 on Server 2008 to grab a JRE to install on my 64-bit OS.

I'll at least say that Adobe is getting it. All of their newest versions of Reader and Flash have the option to automatically update without prompting.

Oracle has no clue. If anyone reading this works for Oracle, I want you to do the following. Also, if you know someone who works for Oracle, please forward this to them and ask them kindly to follow the instructions below.

1) Walk into the office of the person who writes the update system for Java. 2) Scream at the top of your lungs "AUTOMATICALLY INSTALL UPDAT

Adobe's getting the autoupdate part, but they're using it as a crutch for their inability to test code thoroughly before publishing. Auto-updating is great to have and good to use, but when the same product is being updated every few weeks (maybe sooner...I just go by how often Adobe updates whenever I reboot my machine) for years on end, it should tell the product management something.

Given that the JRE comes with a complimentary browser toolbar that you have to manually uncheck in the installer (for each update) and that Flash can't be installed without closing every browser, I want neither of those components to automatically update itself. Asking me is fine but as long as their update routines want to install crapware (or require manual intervention in the case of Adobe) fully automatic updates don't seem like a particularly good idea.

They don't understand that in businesses, you don't run users as admins, which is what the Adobe Updater appears to require for autoupdates.

What they need to do is bring out a decent admin tool like WSUS for their products which enables centralized administration. Ditto Apple, Firefox, Java and a truckload of other software that would probably have a bigger market share if they just understood that where business is concerned with patching and security, Microsoft 'just gets it'. That's one of the key reasons why IE is the business browser of choice: patching it is easy and quick, not convoluted and frustrating.

Reader's automatic updater works without admin rights on Vista or newer, but requires a background service. Flash Player's works on XP or newer without admin rights, and fires from Windows Task Scheduler just like Google Chrome's.

Is it just the Windows version of Java? What about Tomcat and other enterprisey Java packages? Do they suffer from the same flaws?

Not nearly so much. They don't use the same model as Java-in-the-browser, and so don't suffer from the same threats. You have to work at it to make Tomcat insecure from its Java nature; though you can of course deliberately install insecure webapps in it, that's about as significant as running bad CGI scripts inside Apache: idiots will be idiots and crap programmers will be crap programmers.

Enterprisey Java programs tend to not run arbitrary code that someone "out there on the web" specifies. In fact, they

Not surprising I guess, but that means if you avoid Flash and Java you are a long way to avoiding problems (outside of the normal AV and update activities). Both are really hard to avoid in the modern world though. I wonder when Oracle starts getting a bad rep for security out of this? Will customers start wondering about dropping $100k on a DB server from the same company that got their phone hacked with a 3 month old bug?

It is becoming less relevant. Still it is bad that Microsoft does not disclose the source code of its applications. That means thousands of unfixed security vulnerabilities that otherwise would be found.

So you are assuming that all those OSS apps out there are perfect just because you can get the source code??

Please! 99.9% of users can't fix a simple buffer overflow crashing their apps, never mind obscure stuff. Just because there is code available, does not make it more secure! Aside from the main projects, you end up with 1 or 2 part time devs, not hundreds of devs. Code quality is all over the place.

Just look at the code quality in Debian archive. It is all over the place! Some of it is excellent. Most

A small correction, but the end user focused software by MS is becoming less relevant. That's where most of the bugs always were, and that's exactly what people are not using anymore. Server software is also getting less relevant, but it doesn't matter in this context. Kernel and libraries are as relevant as they always were (ok, a tiny bit less).

What is gaining relevance now is the crapware that people must install because Windows does nothing out of the box.

Anytime a vulnerability occurs on a multi-platform application it shows up on all of the platforms. The only time this doesn't happen is if the application/library has multiple sources - then it depends on the distribution.

The Java problems are most likely in the runtime that was open sourced - but still in use by both sources of the runtime.

This article is nothing but Softie cheerleading without any meat. You have to go to the report itself for any real facts.

Indeed, this paragraph explains *why* Java exploits are common in the wild.

Java vulnerabilities were exploited in more than 50% of all attacks. According to Oracle, different versions of this virtual machine are installed on more than 1.1 billion computers. Importantly, updates for this software are installed on demand rather than automatically, increasing the lifetime of vulnerabilities. In addition, Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities. Naturally, most detections are triggered by various exploit packs.

In other words, if you do auto-updates of Java and stuff like it, you are far less vulnerable. I don't think Windows even has a facility to do this; one must roll one's own for each package.

But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

This. For those running eBusiness Suite who also have to use sites with applets, companies are caught between the rock of having to update Java to keep your browsers happy and the hard place of incompatibility of applications with newer versions of Java. Yes, you can load multiple versions of Java, but keeping things automatically updated, and keeping each application/browser using the correct JVM? Ouch. The recent issues over the past few months with poorly executed changes in the security model (broken applets that leverage AJAX), Apple's insistence (now abandoned) on distributing its own, outdated Java, and the mediocre UI stack make Java on the desktop a nightmare. I love my GlassFish servers, but Java needs to be abandoned on the desktop. I think most people have given up on "write once, run anywhere"; they would settle for "write once, run consistently". The Java brand suffers because of the desktop nonsense, which is a shame because it is so powerful and useful on servers.

"Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured..."

Exactly. I do work for a client that uses Primavera, which we have to access through a browser for all records and communication on their construction projects. A recent update to their installation required us to install a very particular Java version that is not at all up-to-date or secure, fuck whatever else we might need Java for. The kicker is that both Java and Primavera are Oracle products.

Yep. I have some Dell blade chassis that require a very very specific version of Java. The next iteration of Java after that fails to start the console for access to the blades. I installed VirtualBox with Windows XP and the specific version of Java (something like 1.4.14 where 1.4.15 fails) so I can continue to manage the Dell chassis. Fortunately we're in the process of replacing them with newer equipment so I can flush the XP VM.
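The "several JREs on one box, none of them patched" situation described in this sub-thread (and the Reader/Flash updater behaviour mentioned earlier) can be checked rather than guessed at. The following inventory script is an added example, not code from the thread or from Oracle, Adobe or Kaspersky; it reads the standard Windows uninstall and JavaSoft registry keys, and the Adobe updater service and task names it probes are assumptions to adjust for your environment.

```powershell
# Added example: inventory Java, Flash Player and Reader installs on a Windows host,
# flag hosts carrying more than one JRE, and report whether the Adobe updaters are present.
# Assumptions: run as a user that can read HKLM; the Adobe updater names below are assumed.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Display names of the three product families the Kaspersky report singles out.
$pattern = '^(Java|Adobe Flash Player|Adobe Reader)'

function Get-RiskyInstalls {
    # Every Add/Remove Programs entry whose name matches, 32- and 64-bit views alike.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.DisplayName -match $pattern) } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
        Sort-Object DisplayName, DisplayVersion
}

function Get-JavaRuntimes {
    # Oracle's JRE registers each full version (e.g. 1.7.0_09) under JavaSoft;
    # the Wow6432Node view holds 32-bit JREs on a 64-bit Windows.
    $jreKeys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($key in $jreKeys) {
        if (-not (Test-Path $key)) { continue }
        $arch = if ($key -like '*Wow6432Node*') { 'x86' } else { 'native' }
        Get-ChildItem $key | Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+' } |
            ForEach-Object {
                $jhome = (Get-ItemProperty $_.PSPath).JavaHome   # $home is reserved in PowerShell
                if ($jhome) {
                    New-Object PSObject -Property @{ Arch = $arch; Version = $_.PSChildName; JavaHome = $jhome }
                }
            }
    }
}

function Get-AdobeUpdaterState {
    # Assumed names: Reader updates via a background service, Flash via a scheduled task.
    $svc = Get-Service -Name 'AdobeARMservice' -ErrorAction SilentlyContinue
    schtasks /Query /TN 'Adobe Flash Player Updater' /FO LIST 2>$null | Out-Null
    New-Object PSObject -Property @{
        ReaderUpdaterService = if ($svc) { $svc.Status } else { 'absent' }
        FlashUpdaterTask     = if ($LASTEXITCODE -eq 0) { 'present' } else { 'absent' }
    }
}

Get-RiskyInstalls | Format-Table -AutoSize
$jres = @(Get-JavaRuntimes)
$jres | Format-Table Arch, Version, JavaHome -AutoSize
if ($jres.Count -gt 1) {
    Write-Warning "$($jres.Count) JREs installed: each one must be patched (or removed) separately."
}
Get-AdobeUpdaterState | Format-List
```

Run across a fleet, the warning line is the quickest way to find the machines on which a single auto-update setting cannot possibly cover every installed runtime.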

The article is about the most common vulnerabilities on "PCs with Kaspersky software installed": it is not about the most secure software. This report just says that many people who use Kaspersky do not keep their Java and Flash updated. Secunia rates the unpatched vulnerabilities of Windows 7 as highly critical. It's just that big companies (the most likely customers of Kaspersky) don't use W7 as much as Java.

Cracking and Virus writing has NEVER been about the number of systems like the MS fanbois love to claim. It has always been about what is easier to attack. At this time, all of the other systems need to focus on security as well. Regardless, this reminds me of the bear joke:
bear coming in the back of a tent, and one guy putting on shoes. Other screaming that they have to outrun the bear, and asks first guy why putting on shoes. He says that he does NOT have to outrun the bear. He simply has to outrun the o

Cracking and Virus writing has NEVER been about the number of systems like the MS fanbois love to claim. It has always been about what is easier to attack.

Um, it's about both. Cracking and virus writing these days is mostly about making money. When your primary goal is to make money, you go for the low hanging fruit: Easy to find exploits that exist on as many systems as possible = biggest bang for your cracking/virus writing buck.

Actually, even the low-hanging fruit isn't enough. Malware is an illegal business; engaging in it has risks. Hypothetically, if I could write the code for an OS X botnet worm at no cost (say, an evening of my own time), and earn $10 for each Mac infected, or spend $500000 (say, a government project) developing something equivalent for Windows, the Windows option is by far the better one even though OS X is the low-hanging fruit. Once you've managed to infect 50k more Windows boxes than OS X ones - which wil

MS products do not have top vulnerabilities, but they are still top targets: most malware is still designed for Windows. It is just that the attackers reach the target by different vulnerabilities. It is therefore still true that using Windows poses a risk.

Parent is correct - although a little hyperbolic. Windows is no longer the 800 lb gorilla - Apple iOS is.

The market trend is towards more mobile type of computing and less desktop related type of things. Yes, yes, yes, I know that you need a desktop for "real" work, but many many others don't. Most of what I need to do can be done on a tablet or smartphone - where Windows has a very small market share.

Also, generally desktops are being kept longer and longer because there's really no need to keep doing so.

The desktop is not going away any time in the foreseeable future. People have been saying for almost 10 years now how the desktop was dead, and everyone would have laptops, yet desktops persist. Enthusiasts and gamers keep the desktop alive. Beige boxes are almost half of all desktops sold, and they are also a growing market. Laptops are also preferred by very many people. They are effectively just desktops with screen and batteries attached. Tablets are new and great, and I foresee laptops becoming

While I agree with you in general, there are actually apps which are developed on smartphones. As an example, WP7 has an app (written by MS) called "TouchDevelop" that's basically a touch-oriented scripting engine. It supports packaging scripts developed with it as apps and submitting them to the store, and some people have taken advantage of this.

It's slow and has an unfortunate effect on battery life when running anything remotely real-time, but it works, it's free, and it's really easy to use... and it's

First off, there are more Android installs than iOS, and a lot of them are older versions which aren't getting updates etc. I see what Google et al. are doing, but that market fragmentation will eventually be a security nightmare.

Secondly, MS moves something like 250 million copies of Windows a year, and yes, turnover is going down, but that means there are still a billion Windows PCs in the wild. The smartphone market has much higher turnover, in part because of carrier subsidies and the noticeable performance improvements still happening, and in part because cell phones are just much more likely to physically fail than a desktop, so I would be surprised if there are 300 million iOS devices in the wild at all. Officially they've sold 400 million iOS devices (http://news.cnet.com/8301-13579_3-57511323-37/apple-by-the-numbers-84m-ipads-400m-ios-devices-350m-ipods-sold/) through June, but a LOT of those are replacements for older iOS devices at this point (it would be a bit like MS talking about how many copies of Windows it has sold since 2007 versus how many are actually in use).

Lastly, a lot of mobile devices may have vulnerabilities that can be exploited but that don't put users at risk because users don't behave in a way that exposes them to much risk. If you aren't regularly grabbing new apps, or trying to click links in e-mails or the like, well, you're not a power user but you're not at a great deal of risk either. The only person on an island doesn't really gain much by locking their door, sort of thing. And we all know hackers are after things worth money. Desktops are worth money, banking information is worth money (and banking is becoming more popular on smartphones to be sure), pictures of naked women are worth money (and those are certainly on phones....), but it's hard to know if hackers, especially serious ones, are going to refocus on desktops, because now if you have a desktop you're probably a serious productivity person, which means you have something worth stealing.

Extortion, sourcing of underage material without being responsible for its production, advertising revenue from high traffic sites.

Imagine you did a data dump of all of the women in (e.g.) the netherlands on facebook. And posted it on a website, where it could be indexed, rated searched etc. You'd probably get a huge crush of traffic, and traffic = revenue.

You're thinking from the perspective of a product - you don't need to pay because someone else is monetizing you visiting their site- which is true, wh

This goes to the 'only one on an island not needing to lock their door'. Windows Phone is too small to matter much. It's not like MS products don't have known, exploited vulnerabilities, just in terms of the most exploited ones they aren't that bad. They seem to be reasonably on top of fixing things overall. At least relative to Java and Flash.

I agree it's hard to judge as an entire marketplace. I mean Microsoft might not be on the list because the PC to tablet market is so different number-wise. I would like to see a top 10 for PC then top 10 for smartphones. Plus, like mentioned, people do get longer out of PCs than phones and tablets, not just due to build but because PCs can be repaired where phones and tablets are disposable.

Windows 7 is the best desktop OS. Secure enough, runs fast, smooth, stable, and all software and hardware works. OSX is pretty good too, but you have to buy expensive hardware to get it, and the software selection (especially regarding games) is more limited.

Well to be fair, for the majority of /. readers we aren't in the cheap desktop market. For one reason or another we'll find a way to drop 2k+ on our laptops and desktops. We're devs, or gamers, or video processing nerds, or guys that measure their worth by their massive stash of pirated material and seed ratio etc. Either way we seem to all want some combination of SSD, big disk capacity, massive monitor, top of the line CPU, etc. Apple gear might not be great value but they don't target the low end of the market and we generally aren't there anyways.

Ever since I swore off Apple products (thank you OS X Lion for that revelation...), I've been repurposing and having a blast.

I spent $300 on a scratch and dent Dell Athlon (from the Dell Outlet, with surprisingly few scratches), put Debian on it, added 2GB of RAM (for a total of 6), a $35 power supply upgrade and a $20 video card off eBay. :) My secondary machine is an original Athlon XP I got for $40 off eBay, also running Squeeze. (It needs more RAM though.)

Good for you. Really, I mean that. All of those old components that you save and use later are a little bit of good karma for you.

I've been managing to keep 4-5 computers going (one for each of our family members and a shop machine) and we only buy a new machine maybe once every 5 years. I save every single component, I reuse, repurpose, etc. I don't throw anything away until it is broken beyond use. But, I do not collect other people's junk. We occas

Thanks for the support. I sometimes get blank stares when people hear what I do with computers in my spare time. :) My only weakness is my desire to find the perfect keyboard. :) I had one once... but I traded it for some other parts many moons ago.

I just ordered a Celeron 867 based machine: Zotac ZBox-Nano-ID61-E. It was on sale -20% at my favourite online shop. Got it for 154,53€. Barebones, so it lacks RAM: 27,53€ and a hard disk/SSD, of which I happen to have one lying around. Still, even if I had not: a 2.5" 500GB HDD is 46,99€. Grand total of 229,05€, which includes VAT. Round up to 240€ for shipping and you have a nifty power-sipping machine that is most likely better than your average Athlon.

Really, that's what I did with the Dell. I wanted a 64-bit machine on the cheap that had decent hard drive space out of the box, but was standard enough to upgrade when I need it (I've had this Dell now for about 2 years or so.) I also check barebone bundle prices from time to time just to see if there's a great deal I can't live without (so far, my price ceiling is about $400.) :) I know there are a few bundles I am keeping my eye on, but I haven't found a need for an 8-core Athlon with 16GB of memory. :)

I built my mom an AMD A6-3650 with 16GB RAM. Given, I had all the other stuff (nice case, etc.) already, since it was the motherboard of her machine that started to get flaky, the upgrade was only 250€ or so... The price difference for "classical" 4GB was negligible. Sure, it's not octo-core, but quad-core. Sure, she has no use for it, but why not? Incidentally: that was a CPU/Motherboard combo on sale too.

You do realise that older computers use more electricity than newer ones, don't you? So by solely using older computers you are actually using more electricity and thus they are costing you more money for less performance. Keeping up-to-date is not solely about power but also about power consumption.
My new computer, which is about 5x faster than my old one, also uses about 100W less.

Rather, you are buying software + hardware when you go with Apple. Good software costs money. You seem to be coming from the Windows world where the software costs can easily be broken out. I choose not to go that route simply because I do not like the way Windows works. I'd rather have a really nice gui on top of a 'nix for when I have to get down and dirty. MS software always struck me as rinky-dink, no forethought, and as Jobs put it, no taste.

Just an FYI, Windows 7 Ultimate has a full Unix layer. As for the rest, beauty is in the eye of the beholder. I've yet to find anything I like about the appearance of Apple's software. Their hardware looks ok though, but they aren't unique in that regard these days either.